You're about to share your cap table, financial projections, and IP documents with investors. Before you do, you should understand exactly what's protecting those files - and what isn't.
When investors or acquirers ask for a data room, they're not just asking for a folder of files. They want a controlled, auditable environment where sensitive documents can be reviewed without leaking into the wrong hands.
Most virtual data room platforms say they use "military-grade encryption." That phrase gets thrown around a lot. Let's unpack what it actually means, how AES-256 works in practice, how secure a virtual data room really is, and whether the price tag is worth it for your stage.
A virtual data room (VDR) is a secure online space for storing and sharing confidential documents. It's most commonly used during fundraising, M&A due diligence, board reporting, and legal transactions.
The key difference between a VDR and a regular cloud drive like Google Drive or Dropbox is control. With a VDR, you decide who sees what, for how long, and under what conditions. You can track every view, set expiry dates on links, require NDAs before access, and revoke access at any time.
At its core, a VDR is a document control system with a security layer on top. The encryption is part of that security layer.
AES stands for Advanced Encryption Standard. The 256 refers to the key length - 256 bits. This is the same standard used by the U.S. government to protect classified information, and by banks to protect financial transactions.
To put that in perspective: breaking a 256-bit AES key by brute force would require more computational energy than currently exists on Earth. It's not crackable with today's technology, and likely won't be for decades.
Here's the short version of how it works:
Key concept
There are two states where your file needs protection: at rest (when it's sitting on a server) and in transit (when it's moving from server to browser). A properly configured VDR encrypts both. If a platform only mentions one, ask about the other.
This distinction trips up a lot of people. Here's a quick breakdown:
Most enterprise VDRs offer at-rest and in-transit encryption. End-to-end encryption is rarer and usually reserved for messaging apps or extremely high-security environments. For the majority of startup use cases - fundraising, due diligence, board documents - at-rest + in-transit AES-256 is more than sufficient.
Encryption is the foundation, but it's not the whole picture. The real security of a VDR comes from the access control layer built on top of it.
Here's what a well-configured VDR does beyond just encrypting files:
Granular permissions let you control access at the folder or document level. You can give one investor read-only access to the financials and block them from the legal section entirely. You can restrict downloading, printing, or copy-paste.
Dynamic watermarking overlays the viewer's email address or IP onto each page in real time. If a document leaks, you know exactly who it came from.
NDA gating requires visitors to accept a non-disclosure agreement before they can view anything. This creates a legal layer on top of the technical one.
Audit logs record every action: who opened which document, which pages they spent time on, when they last accessed the room. This is essential for due diligence - it shows investors are actually reviewing your materials, not just rubber-stamping.
Link expiry and access revocation mean you can cut access immediately after a deal closes or falls through. No more documents floating around in someone's inbox indefinitely.
Encryption protects your files from external attackers. Access controls protect them from authorized users who go out of bounds. You need both.
This question comes up a lot, especially for founders who are new to fundraising. VDRs aren't just for massive M&A deals. Here's where they actually show up in the startup lifecycle:
The common thread: documents that can't afford to end up in the wrong hands. That's when you need a VDR.
This is where a lot of founders get sticker shock. Enterprise VDR providers like Intralinks, Datasite, and Venue often price by page or GB, with contracts that can run $500 to $2,000+ per month. That pricing model was designed for law firms and investment banks doing multi-billion dollar transactions - not seed-stage startups sharing a pitch deck and some financials.
Here's a realistic pricing comparison:
The honest takeaway: if you're raising a seed or Series A and you need a data room for due diligence, you don't need a $2,000/month enterprise platform. That level of tooling is built for 100+ party transactions with dedicated admins.
Ellty offers data room features without per-user pricing, which matters when you're adding 8 investors to a due diligence room and don't want a per-seat bill. For simpler use cases like pitch deck sharing with tracking, the Standard or even Free plan covers the basics.
Ellty uses AES-256 encryption for files at rest and TLS for files in transit - the same standard applied across the platform whether you're on the free plan or Data Room Plus.
Beyond encryption, here's what the data room features actually include:
On the Data Room plan ($149/month), you get granular permissions to control access at the document level, NDA gating so visitors must agree to terms before entering, dynamic watermarking that stamps the viewer's identity on every page, and restricted visitor access so you control exactly who gets in.
On Data Room Plus ($349/month), you add group visitor permissions for managing multiple parties efficiently, full audit logs for every action taken in the room, and capacity for up to 4,000 assets per data room - suitable for complex due diligence with heavy document loads.
Ellty works well when you need a clean, fast setup for a fundraising round or a focused due diligence process. It's not built for massive M&A transactions involving hundreds of parties and terabytes of data. If that's your scenario, you'll likely need an enterprise VDR. But for most early-stage founders, it's the right fit without the enterprise overhead.
Not all platforms are equally transparent about their security setup. When you're evaluating a VDR, here are the questions worth asking:
One thing to note on certifications: SOC 2 and ISO 27001 are the gold standard for VDR security validation. They require third-party audits of security controls, not just self-reported practices. If you're in an industry with strict compliance requirements (fintech, healthtech, legal), ask specifically about certifications before signing up.
The technology is rarely the weak point. It's the configuration.
The most common mistake is giving everyone the same access level. You don't need to give a tier-1 VC the same access as a potential strategic partner who's still in early conversations. Set permissions early and adjust as relationships develop.
Second most common: not using NDA gating. An NDA isn't just a formality - it's a legal record that an investor acknowledged the confidential nature of the materials before viewing them. If something leaks, that log matters.
Third: leaving the data room open after a deal closes or falls through. Get in the habit of revoking access immediately. It takes 30 seconds and removes a lingering risk you don't need.
Fourth: sharing sensitive documents as email attachments alongside the data room link. Once a file is in someone's inbox, you've lost control. Keep everything inside the room.
Practical tip
Before you open your data room to investors, do a test run. Create a guest account with limited access and walk through the experience yourself. Check what's visible, what's blocked, and whether the watermark and NDA gate work as expected. Five minutes of testing can prevent a serious mistake.
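The access-control layer described earlier (granular per-document permissions, NDA gating, audit logs, link expiry and revocation, watermarking) and the "test run as a guest" tip above fit in one small model. The following is an added example written for this article, not Ellty's code or any vendor's: a toy data room whose Authorize gate applies the checks in the order a VDR would (live grant, NDA accepted, then per-document rights), logs every decision including denials, and is then walked through as each constructed visitor would see it. All visitors, document names and the fixed clock are constructed for the demo.

```go
package main

import (
	"fmt"
	"time"
)

// Permission is what one visitor may do with one document.
type Permission struct{ View, Download bool }

// Visitor is one external party's grant. Documents absent from Docs are
// invisible to that visitor (granular, per-document access).
type Visitor struct {
	Email     string
	NDASigned bool      // NDA gate: nothing is viewable until this is true
	ExpiresAt time.Time // link expiry
	Revoked   bool      // manual revocation after the deal closes or dies
	Docs      map[string]Permission
}

// AuditEntry is one row of the room's access log; denials are logged too.
type AuditEntry struct {
	At                           time.Time
	Email, DocID, Action, Reason string
	Allowed                      bool
}

// Room is a data room: grants plus an append-only audit log. Now is injectable
// so expiry can be exercised deterministically.
type Room struct {
	Visitors map[string]*Visitor
	Log      []AuditEntry
	Now      func() time.Time
}

func NewRoom() *Room { return &Room{Visitors: map[string]*Visitor{}, Now: time.Now} }

// Grant adds or replaces one visitor's access.
func (r *Room) Grant(email string, nda bool, expires time.Time, docs map[string]Permission) {
	r.Visitors[email] = &Visitor{Email: email, NDASigned: nda, ExpiresAt: expires, Docs: docs}
}

// Authorize decides one request and records it. Checks run in the order a VDR
// gate applies them: live grant, NDA accepted, then per-document rights.
func (r *Room) Authorize(email, docID, action string) (bool, string) {
	v := r.Visitors[email]
	allowed, reason := false, ""
	switch {
	case v == nil:
		reason = "unknown visitor"
	case v.Revoked:
		reason = "access revoked"
	case !r.Now().Before(v.ExpiresAt):
		reason = "link expired"
	case !v.NDASigned:
		reason = "NDA not accepted"
	default:
		p, shared := v.Docs[docID]
		switch {
		case !shared:
			reason = "document not shared with visitor"
		case action == "view" && p.View, action == "download" && p.Download:
			allowed, reason = true, "ok"
		default:
			reason = action + " not permitted"
		}
	}
	r.Log = append(r.Log, AuditEntry{r.Now(), email, docID, action, reason, allowed})
	return allowed, reason
}

// Revoke cuts a visitor off immediately; later requests are denied and logged.
func (r *Room) Revoke(email string) {
	if v := r.Visitors[email]; v != nil {
		v.Revoked = true
	}
}

// Watermark is the line stamped on each rendered page: it ties any photographed
// or forwarded copy back to one viewer and one moment.
func Watermark(email, docID string, at time.Time) string {
	return fmt.Sprintf("CONFIDENTIAL %s %s %s", email, docID, at.UTC().Format(time.RFC3339))
}

// Demo is the "test run": configure the room, then walk through it as each
// constructed visitor would and collect the gate's decisions.
func Demo() []string {
	fixed := time.Date(2025, 1, 15, 9, 0, 0, 0, time.UTC) // constructed clock
	room := NewRoom()
	room.Now = func() time.Time { return fixed }
	month := fixed.Add(30 * 24 * time.Hour)
	viewOnly := map[string]Permission{"financials/q4": {View: true}} // no download, no legal folder
	room.Grant("investor@fund.example", true, month, viewOnly)               // NDA signed
	room.Grant("partner@corp.example", false, month, viewOnly)               // NDA not yet accepted
	room.Grant("old@fund.example", true, fixed.Add(-24*time.Hour), viewOnly) // link from a closed round
	requests := [][3]string{
		{"investor@fund.example", "financials/q4", "view"},
		{"investor@fund.example", "financials/q4", "download"},
		{"investor@fund.example", "legal/ip-assignments", "view"},
		{"partner@corp.example", "financials/q4", "view"},
		{"old@fund.example", "financials/q4", "view"},
	}
	var out []string
	for _, q := range requests {
		ok, why := room.Authorize(q[0], q[1], q[2])
		out = append(out, fmt.Sprintf("%s %s %s -> %v (%s)", q[0], q[2], q[1], ok, why))
	}
	room.Revoke("investor@fund.example") // deal closed: shut the door and confirm
	ok, why := room.Authorize("investor@fund.example", "financials/q4", "view")
	return append(out, fmt.Sprintf("after revoke -> %v (%s)", ok, why))
}
```

Demo() returns one line per decision; only the first request (a view of the financials by the NDA-signed investor) is allowed, and every refusal carries the reason the audit log records. Running such a walk-through before inviting real parties is the five-minute check the tip above recommends: it surfaces the over-broad grant, the missing NDA gate, and the stale link while they are still harmless.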
If you're sharing a pitch deck before you've opened a full data room, you still want visibility. Who opened the link? Which slides did they actually read? Did they forward it to someone?
This is where document analytics become valuable - not just for security, but for sales intelligence. Knowing that an investor spent 4 minutes on your financials and zero time on the team slide tells you something useful before your next meeting.
Ellty's tracking features work across the platform - whether you're using a data room or just sharing a trackable link to a pitch deck. You get real-time notifications when someone opens your document, page-by-page analytics, and time-spent data. That's separate from data room security, but it's part of the same control layer that protects and informs your fundraising process.
A properly configured VDR is very secure for document sharing purposes. AES-256 encryption protects files at rest, TLS protects them in transit, and access control layers (permissions, watermarks, NDAs) protect against misuse by authorized parties. The biggest security risks in practice are configuration errors - giving too-broad access, not using watermarking, or leaving rooms open after deals close - not the encryption itself.
AES-256 is an encryption algorithm that scrambles your file using a 256-bit key - the same standard used by governments and financial institutions. Breaking it by brute force is computationally infeasible with current or near-future technology. When a VDR says it uses AES-256, it means a copy of the files stored on their servers is unreadable to someone who gains unauthorized access to the storage infrastructure but not to the encryption keys.
VDRs are used anytime confidential documents need to be shared with external parties in a controlled, auditable way. Most common use cases: startup fundraising (sharing pitch decks and financials with VCs), M&A due diligence, board reporting, legal transactions, and real estate deals. Essentially, anywhere a shared Dropbox folder feels too risky and email attachments are too hard to control.
It varies widely. Enterprise platforms like Intralinks or Datasite can run $500 to $2,000+ per month - they're priced for large M&A transactions. For startups, more accessible options exist. Ellty's Data Room plan starts at $149/month and includes granular permissions, NDA gating, and dynamic watermarking, with no per-user fees. A free plan is also available for basic secure sharing with document analytics.
For very early conversations, a shared folder may be fine. But once you're sharing detailed financials, cap tables, or term sheets with multiple parties, a VDR gives you meaningful control: you can track who viewed what, revoke access after a deal, require NDAs, and prevent downloading. A shared drive can't do any of that. The $149/month for a proper data room is usually worth it once you're in active due diligence.
At-rest encryption protects files while they're stored on a server - so if someone breaks into the data center or cloud storage, they can't read your files. In-transit encryption (via TLS) protects files as they travel between the server and the user's browser - so if someone intercepts the connection, they see only ciphertext. Both are necessary. Most reputable VDRs offer both; confirm before signing up.
Dynamic watermarking overlays identifying information - typically the viewer's email address or IP - on every page of a document in real time. The viewer doesn't add the watermark; the platform does it automatically when the document is rendered. If that document gets photographed or forwarded, the watermark traces it back to the source. It's a deterrent and a forensic tool in one.
Yes, and it makes sense to. Sharing a trackable pitch deck link gives you analytics on investor engagement - which slides they viewed, how long they spent, whether they came back - before you've opened a full due diligence room. Ellty supports this use case: trackable links and page-level analytics are available on the free and standard plans, and you can upgrade to full data room features when you need them.
With modern platforms, a basic data room can be configured in under an hour. You upload your documents, organize them into folders, set permissions per viewer or group, configure NDA gating if needed, and send links. Enterprise platforms with complex admin setups can take longer, but for a startup fundraising use case, fast setup is realistic. Ellty is designed specifically for this - minimal configuration overhead, functional out of the box.
SOC 2 Type II and ISO 27001 are the most recognized. SOC 2 Type II means an independent auditor has verified the platform's security controls over a sustained period - not just a point-in-time snapshot. ISO 27001 is an international standard for information security management. If you're in a compliance-heavy industry, ask specifically which certifications a provider holds before committing. Don't rely on marketing claims - ask for documentation.